[openssl-users] 'FIPS_CIPHERINIT:disabled' in fips mode error in 1.0.1e
jonetsu
jonetsu at teksavvy.com
Mon Oct 26 20:44:59 UTC 2015
In 1.0.1e the following is observed when using OpenSSL in FIPS mode:
% OPENSSL_FIPS=1 openssl pkcs12 -export -in
/tmp/ipsec.d/certs/192.168.11.1 -inkey
/tmp/ipsec.d/private/192.168.11.1 -name 192.168.11.1 -out
/tmp/ipsec.d/192.168.11.1.p12 -password pass:""
3067167952:error:060A60A3:digital envelope
routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
3067167952:error:06074078:digital envelope
routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
3067167952:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor
cipherinit error:p12_decr.c:83:
3067167952:error:2306C067:PKCS12
routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
3067167952:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt
error:p12_add.c:202:
In 'Re: PKCS12 keystore creation failing in fips mode' (May 29,
2013 9:15pm) the following is said:
"That's a bug in 1.0.1 in that it tries to use an unapproved
algorithm in FIPS mode. Workaround: use the -descert option."
It is not possible for us to upgrade OpenSSL, but it would be
possible to apply a patch. Does a patch exist that fixes this
problem and if so, where can it be found ? I do not know how
development is organized for OpenSSL (bug tracker, git ?)
Thanks !
More information about the openssl-users
mailing list